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VOLUME V 
IN THE UNITED STATES ARMY 

UNITED STATES 
VS. 

MANNING, Bradley E., PFC COURT-MARTIAL 
U.S. Army, xxx-xx-9504 

Headquarters and Headquarters Company, 

U.S. Army Garrison, 

Joint Base Myer-Henderson Hall, 

Fort Myer, VA 22211 

/ 

The Hearing in the above-entitled matter was 
held on Tuesday, June 11, 2013, commencing at 9:30 a.m., 
at Fort Meade, Maryland, before the Honorable Colonel 
Denise Lind, Judge. 
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DISCLAIMER 

This transcript was made by a court 
reporter who is not the official Government reporter, 
was not permitted to be in the actual courtroom where 
the proceedings took place, but in a media room 
listening to and watching live audio/video feed, not 
permitted to make an audio backup recording for 
editing purposes, and not having the ability to 
control the proceedings in order to produce an 
accurate verbatim transcript . 

This unedited, uncertified draft 
transcript may contain court reporting outlines that 
are not translated, notes made by the reporter for 
editing purposes, misspelled terms and names, word 
combinations that do not make sense, and missing 
testimony or colloquy due to being inaudible to the 
reporter . 
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APPEARANCES : 

ON BEHALF OF THE GOVERNMENT: 
MAJOR ASHDEN FEIN 
CAPTAIN ALEXANDER von ELTEN 

ON BEHALF OF THE ACCUSED: 
DAVID COOMBS 
MAJOR THOMAS HURLEY 
CAPTAIN JOSHUA TOOMA 
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PROCEEDINGS, 

THE COURT: Major Fein, please account 
for the parties . 

MR. FEIN: Yes, ma'am. Your Honor, all 
parties in the court from last recess are again present, 
exceptions are Captain Overgaard and Captain Morrow are 
absent . Captain von Elten is present . 

THE COURT: Are there any issues we need to 
address before we proceed? 

MR. FEIN: Yes, ma'am. A few admin issues. 
First, this morning United States filed what's been 
marked as appellate exhibit 566, the witness list order 
of proposed prosecution witnesses . That ' s an updated 
listing from the previous . 

THE COURT: All right. Thank you. 

MR. FEIN: Also, ma'am, as of 0930 this 
morning there are eleven members of the media in the 
media operations center . There are two stenographers . 
There's no one presently in the trailer, although the 
trailer is available and the courtroom is not filled to 
capacity . 
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THE COURT : All right . Thank you very much . 

MR. COOMBS: Ma'am, I would like to put on 
the record that the government has indicated pretty much 
from this day forward they'll accommodate the request of 
the stenographers to have one come in the morning, one 
come in the afternoon session, and that also the 
stenographers will be given a dedicated pass for the 
media operations center. 

THE COURT: Is that correct? 

MR. FEIN: Yes, ma'am. Also, the United 
States ' understanding is that the court ' s preference or 
directive is that one of the 70 spots for the media will 
actually become 69 spots and a stenographer will be the 
70th spot, so it will actually not be a media spot, it 
will be the stenographer spot . That way the public 
affairs will credential 69 positions, not 70. 

THE COURT: That is actually what I did 
direct you to do. Any objection to that? 

MR. COOMBS: No objection, Your Honor. 

THE COURT: Anything else we need to address? 

MR . COOMBS : No , Your Honor . 
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MR. FEIN: No, ma'am. 

THE COURT : Please call your next witness . 

MR. FEIN: Ma'am, prior to that we're going 
to read some stipulations . 

THE COURT: Can you tell me who those are? 

THE WITNESS: Yes, ma'am. Ma'am, the first 
stipulation is Mr. Peter Artale, prosecution exhibit 
number 70. The next is Mr. Chamberlin, prosecution 
exhibit 71. 

THE COURT: Thank you. 

MR. FEIN: Your Honor, stipulation of 
expected testimony of Mr. Peter Artale, dated 9 June 
2013. 

It is hereby agreed by the Accused, Defense 
Counsel, and Trial Counsel, that if Mr. Peter. 
Artale were present to testify during the merits and 
pre-sentencing phases of this court-martial, he would 
testify substantially as follows : 

One . I am currently employed by the Army 
Counter-intelligence Center, ACIC, with the 902nd 
Military Intelligence Group on Fort Meade, Maryland. 
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ACIC produces finished intelligence products for the 
intelligence community. It often produces these 
products by fulfilling requests for information from 
the Army. It takes finished products and 
disseminates them on SIPRNET and JWICS . 

I am a Web Developer and the Team Lead of 
a team of three software developers . I have worked 
in this capacity and for ACIC for eight years . Prior 
to this position, I worked in web development for the 
Defense Intelligence Agency, DIA, for one year, then 
with Booz Allen on a one year contract with National 
Geo-Spatial Agency. I was a software development 
engineer and programmer in the Air Force for 
twenty— one years . I retired from the Air Force as a 
Master Sergeant. I also have an Associate's degree 
in Computer Science. 

Two . I first became involved in this 
case on approximately 17 March 2010 after my Branch 
Chief, Ms. Jessica Johnson, alerted me to the 
compromise of U.S. Government information. Ms. 
Johnson asked if I could use our system to see who 
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had viewed a certain product . I could, as I had 
developed custom software to track access to 
particular products. This software captures the 
viewer credentials by recording the Internet Protocol 
(IP) address and date/time of access for each user 
who views our ACIC work product. It then assigns a 
unique report key to the access event . This occurred 
before we were contacted by law enforcement in this 
case, as ACIC was notified of the compromise of one 
of our products in March 2010. 

Three. An IP address is part of the 
Transmission Control Protocol /Internet Protocol 
(TCP/IP) . A protocol is the standard language used 
to communicate over a network. TCP/IP is the most 
common "language" that computers use to communicate 
over the Internet and so an IP address is the method 
of identifying a specific computer on a network. 
Only one computer can be assigned a specific IP 
address at one time . Knowing an IP address allows us 
to know which computer on a given network used our 
products . 
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Our software is a custom product which, 
in capturing this user and access information, 
produces metrics which can be used to see which of 
our products are most popular and how our products 
are used. The software only logged views of the 
document in the ".asp" format which is the standard 
way the product would appear on the website, ".asp" 
is a common file format for web pages. This means 
that the software only logged views of the web 
version of the document and not the views of the 
" .pdf " or ".doc" version of the document. Likewise, 
the logs do not indicate whether the document was 
printed or saved, nor do they indicate how long an 
individual looked at the document, if at all. We 
collect this data normally so we can analyze it to 
see where we need to allocate our development and 
maintenance resources to best support our internal 
and external customers . The information produced by 
the tracking software is, therefore, called metrics. 

Four . The metrics are pulled when an 
engineer runs a certain query . These queries can be 
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customized to pull only the information the developer 
wants to see. In this case, we were specifically 
interested in tracking every access to a product 
titled "WikiLeaks . org-An Online Reference to Foreign 
Intelligence Services, Insurgents, or Terrorists 
Groups?" Therefore, I searched the product by 
determining and searching for its product 
identification number, which is "RB08-0617" . The 
product identification number, which is on the 
document itself and assigned internally by ACIC, is a 
identifier unique to each ACIC product . 

Five . This ACIC product "WikiLeaks . org- 
An Online Reference to Foreign Intelligence Services, 
Insurgents, or Terrorists Groups?" is housed on our 
website at "acic.north-inscom.anny.smil.mil" and is 
accessible only via a classified network, such as 
SIPRNET. I wrote a custom query, by IP address and 
visit time, to see every time this particular 
document was pulled from the web server. A custom 
query is a method of pulling information from a 
Database . I pulled these metrics from my own 
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workstation. The data is automatically pulled into a 
Structured Query Language (SQL) table. SQL is a 
computer language for extracting and inserting 
information in a database. It is a standard computer 
language to interact with databases . Printouts of 
SQL queries look like an Excel spreadsheet in that it 
has columns and rows; however, it is not as easy to 
search and organize as an Excel spreadsheet. I, 
therefore, digitally cut and pasted the information 
from the SQL table into an Excel spreadsheet and 
saved the data to my desktop. 

I then organized the spreadsheets in two 
separate manners. The first set is organized by 
visit date. The second is organized by IP address 
and then visit date. I did not alter the content of 
the data in any way when searching for the data, 
moving it from the SQL table to the Excel 
spreadsheet, or while in the Excel spreadsheet. I 
moved the information and organized it in two 
separate manners because it was easier to read. I 
then emailed the metric data to my leadership at ACIC 
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as requested. 

The data is stored securely on our 
servers and is only accessible to the other three web 
developers on my team. I have no reason to believe 
anyone else would have modified the logs in any way. 
This occurred before we were contacted by 
investigators involved in this case, as ACIC was 
notified of the compromise of one of our products in 
March 2010. 

Six. In this case, the ACIC document 
concerned was posted in 2008. I pulled the metric 
data tracking access to this document on 17 March 
2010. The most recent access date listed in the 
metric data is 16 March 2010. The data returned 
included view hits on the document up until the 
morning I ran the data query. The logs are broken 
down by record key, IP address, and visit date. 

Specifically, the metrics tell me the 
following about the user IP addresses who opened the 
website containing the product with a product 
identification number of RB08-0617 in the web page 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Morning Session 



format: A user with the IP address 22.225.41.40 
opened the web page on 1 December 2009 at 6:31 PM; a 
user with the IP address 22.225.41.40 opened the web 
page on 29 December 2009 at 2:40 PM; a user with the 
IP address 22.225.41.40 opened the web page on 1 
March 2010 at 6:40 PM; and a user with the IP address 
22.225.41.22 opened the web page on 7 March 2010 at 
11:31 PM. 

Seven. The data for these metrics is 
collected by our custom software automatically when 
someone clicks on one of our links to use our ACIC 
work product. This system captures the time, date, 
and IP address as well as which product is being 
accessed and served out to the requester. We know 
this data is accurate because there is no human 
intervention into the process and because views are 
logged using specific codes and for specific 
products . 

Finally, while it is possible to make 
manual insertions in metric data output, those 
insertions cannot be backdated or over-written. This 
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means whatever output data the system produces cannot 
itself be altered. Furthermore, at the time I pulled 
these logs, I did not know to whom the IP addresses 
were attached or the reasons for which the data was 
being pulled. I had neither the motivation nor 
knowledge required to alter the document . At no 
point prior to pulling the metric log data, while 
pulling the information, or after securing it, did I 
ever alter the data in any way. 

Eight . My Branch Chief forwarded my 
email with these metrics to Mr. Winston Budram, S-6 
and Chief Information Officer of the 902nd MI Group. 
Mr. Budram forwarded the metrics to investigators 
after they contacted our office. 

Prosecution Exhibit (PE) 63 for 
identification is the paper copy of these logs . PE 
63 for ID is a printout of the complete logs that I 
pulled. I put the title "Views of ACIC Product 
RB08-0617 . asp" on the top of the Excel spreadsheet. 
The title is based on the ACIC product identification 
number and the format of the document . On the left 
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side of every page are the logs that I pulled and 
organized by visit date. On the right side of every 
page are the logs that I pulled and organized by IP 
address and then visit date. 

I believe the information on the top of 
the page ("Views of ACIC Product RB08-0617 . asp" ; 
"Record Key"; "IP Address"; and "Visit Date"), which 
is the same as the title and heading information on 
the spreadsheets that I pulled, was automatically 
produced by Excel when the spreadsheets were printed. 

Nine . I am the custodian of the records 
marked as PE 63 for ID and an employee familiar with 
the manner and process in which these records are 
created and maintained, by virtue of my duties and 
responsibilities . PE 63 for ID was made at or near 
the time of the occurrences of the matters set forth 
by or from information transmitted by, people with 
knowledge of these matters . PE 63 for ID was kept in 
the course of regularly conducted business activity. 
It was the regular practice of the business activity 
to make the records . The records marked as PE 63 for 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Morning Session 



17 

ID are a true, accurate, and complete copy of the 
original documents. 

Your Honor, the United States moves to 
admit PE 63 for ID as PE 63. 

MR. HURLEY: No objection, ma'am. 

THE COURT : All right . Prosecution exhibit 
63 is admitted. May I see it, please? 

Thank you. 

MR. FEIN: Ma'am, stipulation of expected 
testimony of Mr. Shawn Chamberlin dated 9 June 2013. 

It is hereby agreed by the Accused, Defense 
Counsel, and Trial Counsel, that if Mr. Sean Chamberlin 
were present to testify during the merits and 
pre-sentencing phases of this court-martial, he would 
testify substantially as follows : 

One. I am a Systems Administrator for the S6 
shop of the 902nd Military Intelligence (MI) Group on 
Fort Meade, Maryland. The 902nd MI Group performs 
counterintelligence functions . My section is 
responsible for providing IT support for all unit 
servers. In this capacity, I build new servers and 
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maintain old ones . I have worked in this capacity 
for ten years . Before that I was active duty 
military for nine years and was a Staff Sergeant when 
I left the Army. 

For the last five of my nine years of 
active duty service, I had the Military Occupational 
Specialty (MOS) 33W, which is Intercept Electronic 
Warfare Systems Repair. In that capacity, I was a 
systems administrator . To fulfill my current 
function, I have received Security Plus training and 
have certifications in numerous Microsoft server 
types . I also hold a Bachelor ' s degree in 
Information Systems from the University of Phoenix. 

Two . I first became involved in the 
present case in July of 2011 when my supervisor Mr. 
Robert Conner, the Site Lead for Information 
Technology at the 902nd MI Group, requested that I 
pull Microsoft Internet Information Services (MI IS) 
web server audit event logs for the contacting IP 
addresses 22.225.41.22 and 22.225.41.40 between the 
dates November 2009 and May 2010. MIIS are 
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application logs that are specific to the web server. 
Audit logs are a record of the activity that occurs 
on the server and enable system administrators like 
me to track what users do on the website . Audit logs 
contain data that is automatically written to them on 
a daily basis . 

Here, the audit logs record file activity 
on a web server from the United States Government 
computer assigned to the IP address 199.32.48.154, is 
a computer dedicated to processing classified 
information at the SECRET level. This is the IP 
address for the ACIC website on SIPRNET. 

Three . This data shows what IP addresses 
accessed our system within that date range. An IP 
address is part of the Transmission Control 
Protocol/ Internet Protocol (TCP/IP) . A protocol is 
the standard language used to communicate over a 
network. TCP/IP is the most common "language" that 
computers use to communicate over the Internet . An 
IP address is the method of identifying a specific 
computer on a network . 
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Four. An IP address allows us to know 
which computer on a given network accessed our 
server. In this case, I pulled eighteen log files 
for the above IP address and date range. The files 
are named the following: ex091119.log; ex091201.log; 
ex091214.log; ex091217.log; ex091221.log; 
ex091229.log; exl00207.log; exl00209.log; 
exl00211.log; exl00214.log; exl00301.log; 
exl00302.log; exl00308.log; exl00315.log; 
exl00316.log; exl00317.log, which is the automatic 
naming convention of Microsoft based on date . 

The files display in text format. The 
files contain 86 entries for the IP address of 
22.225.41.22 and 28 entries for the IP address of 
22.225.41.40. The first entry for 22.225.41.22 or 
22.225.41.40 is 19 November 2010. 

Five . These logs are on our external web 
server, which is one of the servers I am responsible 
for maintaining. The web server and the logs are 
located in what is commonly referred to as the 
"DMZ", which is the area between our internal system 
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and the SIPRNET. I pulled the data using a search 
window and searching the IP address for the given 
date range . Then I searched for the two requested IP 
addresses . I then put the files into an internal 
investigation folder and had them burned to a disc. I 
looked at the disc to verify that they were the logs 
that I pulled. 

Six. I am familiar with these logs 
because of my work as a systems administrator. After 
I pulled the logs, they were burned onto a rewritable 
disc by another individual . I reviewed the contents 
of the disc to ensure it contained the logs that I 
pulled. The disc labeled "Log Files 902nd MI 
20 11-0006" contain the logs that I pulled. 
Prosecution Exhibit 64 for Identification is a copy 
of this disc. I attested to the authenticity of these 
logs on 21 June 2012, BATES number: 0044 9439. I 
pulled the logs from the server and did not alter the 
content of the logs in any way. I have no reason to 
believe anyone else would have modified the logs in 
any way while they are on the server as permissions 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Morning Session 

22 

to the "DMZ" are very limited. 

Your Honor, the United States moves to 
admit prosecution exhibit 64 for identification as 
prosecution exhibit 64 . 

MR. HURLEY: Ma'am, we have no objection to 
that. May I have a second to speak with Major Fein? 

THE COURT: Yes. 

MR. FEIN: Your Honor, the United States 
requests a brief in place recess . 

THE COURT: Go ahead. We're not actually 
recessing the court, I'm going to let you do what you 
need to do. 

MR. FEIN: Yes, ma'am. 
(BRIEF PAUSE . ) 

MR. FEIN: Ma'am, I have retrieved 
prosecution exhibit 71 and consulted with defense counsel 
and there has been one modification to the stipulation of 
expected testimony. I handed the court reporter PE 71 
and I would direct the court to page two . 

Your Honor, the top of page two at the end of 
the first paragraph or the first partial paragraph, the 
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date 19 November 2010 has been modified to 19 November 
2009, and the accused's, Major Hurley's and Major Fein's 
initials are annotated on that change. 

THE COURT: All right. Major Hurley, does 
the defense agree with this change? 

MR. HURLEY: Yes, ma'am. 

THE COURT: PFC Manning? 

THE ACCUSED: Yes, ma'am. 

MR. Von ELTEN: Ma'am, the United States 
calls Matthew Hosburgh. 

THE COURT: May I see prosecution exhibit 64? 
I think I still need to admit that. Is that better done 
at a recess? 

MR. FEIN: Yes, ma'am, 64. 
THE COURT: Prosecution exhibit 64 for 
identification is admitted. 

Excuse me, Captain von Elten, who is the next 

witness? 

MR. Von ELTEN: Matthew Hosburgh. 
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Whereupon : 

MATTHEW HOSBURGH, 
called as a witness, having been first duly sworn 
according to law, testified as follows: 

DIRECT EXAMINATION 

BY MR. Von ELTEN: 

Q. For the record, you're Sergeant Matthew 

Hosburgh of Denver, Colorado? 

A. Staff sergeant. 

Q. Where do you work? 

A. I'm currently working for an oil and gas 

company in Denver, Colorado. 

Q. And what do you do there? 

A. I do their IT security. 

Q. And what does that entail? 

A. It entails monitoring the networks as well as 

threat and vulnerability research. 

Q. And how long have you been in this position? 

A. I've been there for about two months now, sir. 

Q. And what was your position prior to that? 

A. Prior to that I was a government contractor 
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where I did basically the same type of work for 
citizenship and immigration. 

Q. And what department does citizenship and 

immigration reside in? 

A. Department of Homeland Security. 

Q. And how long were you there? 

A. I was there for three years. 

Q. And how was the work similar; what did you do? 

A. Same type of thing, monitoring networks, 

looking for threats, vulnerabilities and, yeah, that's 
basically it . 

Q. And what did you do prior to that? 

A. Prior to that I was on active duty in the 

Marine Corps . 

Q. And for how long were you on active duty? 

A. For eight years. 

Q. What was your MOS in the Marine Corps? 

A. I was a 2651. 

Q. What is that? 

A. It ' s a special intelligence system 

administrator . 
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Q . What training did you receive in that 

position? 

A. I received numerous military schools as well 

as civilian IT security related courses . 

Q. And what kind of things did that schooling 

teach you? 

A. Everything from system administration, 

servers, networks, to security, basic security and things 
of that nature . 

Q. What kind of work did being a 2651 entail? 

A. Kind of ran the gamut as far as anything from, 

you know, managing servers and network equipment to 
information assurance and security accreditation and 
threat and vulnerability research. 

Q. What kind of systems did you work on? 

A. Worked primarily on classified network 

systems, servers and networks of that nature. 

Q. And what kind of work did you do on those 

classified systems? 

A. Managed the systems, provided access to our 

users as well as I was in charge of the security of those 
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systems, so we had to basically apply policy to those 
systems as well as manage the vulnerabilities and risks 
that the systems faced. 

Q. What year did you leave active duty? 

A. 2010. 

Q. What is your current military status? 

A. I'm a reservist. 

Q. When did you join the reserves? 

A. I joined in July of 2012. 

Q. What do you do in the reserves? 

A. I have the same MOS so I do the same type of 

general work, but I'm currently working as a network 
analysis or I'm a network analyst. 

Q. Let's talk a little bit about a report you 

wrote. Where were you stationed in late 2009, early 
2010? 

A. I was in Stuttgart, Germany. 

Q. And what were you doing there? 

A. I had been stationed there, started out in 

2006. 

Q. Do you remember attending a conference? 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Morning Session 

28 

A. Yes, sir. 

Q. What was the conference called? 

A. It was, the title of the conference was called 

here be dragons . 

Q. And who hosted the conference? 

A. It was hosted by the Chaos Computer Club. 

THE COURT: What dragons? 

THE WITNESS : Here be dragons . 
Q. How else is the Chaos Computer Club referred 

to? 

A. It's either known as CCC or C3 . 

Q. How did you know about C3? 

A. Through my research that I was doing just 

trying to stay ahead of security threats, I noticed that 
the conference was basically in our neck of the woods and 
that ' s how I found out about it . 

Q. And where was the conference? 

A. It was in Berlin. 

Q. And when did the conference occur? 

A. It was roughly the 26th of December, 2009 

through the 30th, if I remember correctly. 
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Q. What is the C3 conference? 

A. So the C3 conference essentially, what it 

actually stands for is the Chaos Communication Congress. 
It ' s a conference that basically combines or brings 
together people throughout the hacker community, security 
researchers and just random people, brings them all 
together and they talk about various topics ranging from 
security, hacking, political issues. I mean you name it 
and it ' s probably there . 

Q. And how often is it held? 

A. It's held yearly. 

Q. And why did you attend? 

A. I attended, it was an opportunity to not only 

attend a conference that could potentially I guess show 
some security vulnerabilities that we might be able to 
apply to our command, but is also local and we had some 
extra funds to go travel and go to that conference, so — 

Q. How many days was the conference? 

A. I believe it was five days. 

Q. And how many days did you attend? 

A. I was there for four days. One day was for 
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travel . 

Q. How many people attended the conference? 

A. Roughly about three to 5,000, I believe. 

Q. What kind of facility hosted the conference? 

A. It was your standard just conference center, 

multiple rooms that could host various talks and 
presentations . 

Q. And where were the featured presentations 

given? 

A. The featured presentations? Those were 

reserved for the bigger rooms of the conference center. 

Q. And about how big was the bigger room, how 

many people did it seat? 

A. How many people? Okay. Roughly maybe five to 

a thousand people . 

Q. 500 to a thousand people? 

A. I'm sorry. 500, yes, sir. 

Q. What were some of the main presentations? 

A. Some of the main presentations I recall 

offhand they were talking about, one of the big ones was 
WikiLeaks, they talked about net neutrality, Tor came up. 
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They talked about various topics related to GSM cellphone 
networks. A few others, I just can't recall off the top 
of my head. 

Q. And what language were the talks given in? 

A. They were given in English and some of them 

were also in German. 

Q. Let's talk a little bit about the net 

neutrality presentation. How many speakers gave that 
presentation? 

A. I recall, I believe there was two speakers for 

that one. One main presenter though. 

Q. And how long did the presentation last? 

A. That was about an hour if I remember that one 

right . 

Q. And what is net neutrality? 

A. Well, net neutrality, the way I see it is a 

way to keep the Internet open and free as far as 
preventing any issues or ISPs, Internet service providers 
from regulating it. So their issue or their whole talk 
was about we need to keep the Internet open and free 
instead of having various tiers of regulation on the 
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Internet . 

Q. And what was the purpose of the presentation? 

MR. HURLEY: Objection, ma'am. Hearsay. 
THE COURT: Establish a foundation and his 
personal knowledge . 

MR. Von ELTEN : It goes to the effect on 

listener . 

THE COURT: What was the question? 

MR. Von ELTEN: What was the purpose of the 

presentation? 

THE COURT: Ask for the foundation of 
knowledge. How does he know that? 
BY MR. Von ELTEN: 

Q. How do you know that? 

A. How do I know what the purpose is? Because 

there ' s a summary of the talk before I went and I had 
done some research about that topic. 

Q. And where — 

THE COURT: Overruled. 

Q. Are where did you do your research? 

A. Research just on the open Internet. 
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Q. And what was the purpose of the presentation 

A. It was more about awareness, I remember that 

one. It was in English. The speaker was making a case 
for global open Internet, but specifically for some of 
the issues coming up in France at the time. 

MR. HURLEY: Again, ma'am, hearsay. He's 
just repeating what the presenter told him. 

THE COURT: What are you offering it for? 
MR. Von ELTEN : I'm offering it for, it goe 
to explain why he wrote his report . 

THE COURT: Overruled. 
BY MR. Von ELTEN: 

Q. Let's talk about the WikiLeaks presentation. 

What room was that in? 

A. It was in one of the larger conference rooms 

Q. About how many people attended the talk? 

A. That one was probably closer to a thousand, 

remember it being pretty full . 
Q. Who gave the talk? 

A. The talk was given by Julian Assange . 

Q. And how long did Mr. Assange speak? 
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A. It was about an hour or so. 

Q. And how was the talk relevant to your work at 

the time in the Marines? 

A. It was relevant in the sense that I worked 

with classified information at the time. 

Q. And what was the purpose of the talk? 

A. The main purpose of the talk was really to 

explain what WikiLeaks was and the launch of their, 
basically their new site is what I got from it. They 
talked about what their intentions were and then 
basically what the system provided. 

Q. And what were their intentions? 

A. The intentions were they basically were 

eliciting support from the audience and then I guess 
anybody listening to the conference to leak any type of 
information, not only classified information but 
proprietary trade secrets, anything of that nature. 

Q. I am retrieving prosecution exhibit 43 for 

identification, hand this to the witness. 

Do you recognize the document I've handed 

you? 
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A. Yes, sir. 

Q. What is it? 

A. This is my trip report, after action report 

wrote after I came back from the conference. 
Q. When did you write it? 

A. I wrote it approximately a week after. 

Q . How do you know it ' s your report ? 

A. Well, it has my name on it and it's in the 

format I'm used to. 

Q. Where did you submit it? 

A. Where did I submit it? I submitted it to 

basically my chain of command when I got back. 

Q. Retrieving prosecution exhibit 43 for 

identification . 

Retrieving prosecution exhibit 85 . 
Would you please take a minute to review 
1A12? I believe it's on the second page. 
A . Okay . 

Q. How often were your reports posted online? 

A. How often were they posted? Good question 

because we had just implemented a new system, so we 
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didn ' t really have a frequency of necessarily posting 
them, a standard procedure for that . Since that new 
system, it was kind of became a de facto practice of 
posted after the trip. 

Q. And where were they posted? 

A. We posted to a Sharepoint portal. 

Q. And what was the address of that Sharepoint 

portal? 

A. It was something along the lines of M F E dot 

USMC dot smil dot mil . And then your various section be 
denoted by a G representing and then a number. 

Q. Is that approximately the address (INAUDIBLE) ? 

A. Yes, sir. 

MR. Von ELTEN: Retrieving prosecution 

exhibit 85. 

Your Honor, the United States would move to 
enter prosecution exhibit 43 for identification into 
evidence . 

MR. HURLEY: No objection, ma'am. 
THE COURT: May I see it, please? 
Prosecution exhibit 43 for identification is 
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admitted. 

BY MR. Von ELTEN : 

Q. Let's talk a little bit about this report. 

How did you organize the report? 

A. I organized it basically chronologically so 

the talks I went to, that's the first talk, and then so 
on and so forth throughout the report . 

Q. What information did you put in the summary 

section? 

A. The summary was generally a description 

basically from the conference itself, and then if there's 
anything I needed to add to make it, to make it make more 
sense to my chain of command. 

Q. And what was, how did you construct the 

sections? 

A. The analysis was based off of some of the 

analytical work I had done in our section and also trying 
to make that analysis fit within our organization 
basically . 

Q. What was the purpose of the counter measure 

section? 
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A. That was basically — the purpose behind that 

was to identify if there was a potential threat, security 
threat that maybe we were vulnerable to, and then to see 
if we could actually fix it, fix that vulnerability. 

Q. What was the purpose of drafting this report? 

A. To basically summarize the trip so I could 

show the command actually what I did there, and then also 
to raise some awareness as far as what the issues I found 
there were . 

MR. Von ELTEN : Thank you. No further 
questions, Your Honor. 

THE COURT: Cross examination. 
MR. HURLEY: Yes, ma'am. 
CROSS EXAMINATION 

BY MR. HURLEY: 

Q. Staff Sergeant Hosburgh, good morning. 

A. Good morning, sir. 

Q. When it comes to the document that you were 

just discussing with Captain von Elten, that's a document 
that you wrote? 

A. Yes, sir. 
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Q. By yourself? 

A. Yes, sir. 

Q. And it appears to be a reflection of your time 

spent at this conference that you discussed with Captain 
von Elten? 

A. Yes, sir. 

Q. It was rendered chronologically? 

A. Yes, sir. 

Q. The first thing that you covered was net 

neutrality? 

A. Yes, sir. 

Q. Then WikiLeaks? 

A. Yes, sir. 

Q. Then you'll forgive my computer ignorance, 

exposing crypto bugs through reverse engineering? 
A. Yes, sir. 

Q. And that was followed by some other more 

technical topics of the conversation? 
A. Yes, sir. 

Q. And you started with paragraph one, as you 

were writing you started with paragraph one? 
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A. Yes. 

Q. And you wrote your report chronologically as 

well? 

A. Chronologically, yes, sir. 

Q. In your discussion of net neutrality you 

mentioned terrorist use of the Internet? 
A. Yes, sir. 

Q. And you mentioned that in paragraph one? 

A. Yes. 

Q. In your discussion of WikiLeaks you did not 

mention terrorism or terrorist use of that site, correct? 
A. Correct, sir. 

Q. Now, let's talk about WikiLeaks; the presenter 

you said was Julian Assange? 
A. Yes, sir. 

Q. And he did not mention terrorism in his 

presentation? 

A. Not that I can recall, sir. 

Q. Or a desire to help terrorists? 

A. No, sir. 

Q. That would have been reflected in your report? 
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A. Yes, sir. 

Q. WikiLeaks was focused on the public and the 

public 1 s access to information? 
A. Yes, sir. 

Q. Insuring openness? 

A. Yes, sir. 

Q. And keeping the public well informed? 

A. That's what he said, yes, sir. 

Q. And it wasn't exclusively focused on the 

United States? 

A. It wasn't. They did mention, there was more 

of an emphasis for classified information, however. 

Q. But it wasn't exclusively focused on 

classified information? 

A. Correct, sir. 

Q. They were interested in trade secrets? 

A. Yes, sir. 

Q. And other corporate information? 

A. Yes. 

Q. So you mentioned, let's go back to that 



paragraph one, terrorists and the use of the Internet. 
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You indicated that terrorists use the Internet? 
A. Yes, sir. 

Q. To communicate with each other? 

A. Yes. 

Q. You indicated that an open Internet allows for 

hidden communication? 

A. I believe I recall that, sir. 

Q. It's sort of a, you created this idea that an 

open network allows for terrorist communication on the 
Internet . 

A. Yes, sir, I did. 

Q. Their communication with each other? 

A. Yes. 

Q. From one terrorist to another, and then 

potentially from there to yet another terrorist? 
A. Yes, sir. 

Q. And the point as I understood it — now, when 

there was a discussion of net neutrality, did the 
individual giving the net neutrality talk discuss 
terrorism? 

A. No, sir. That was more of an analytical 
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piece . 

Q . Right . And what you were trying to show in 

your analysis was essentially a cost benefit, right? 

A. Trying to show that if it was open, that 

communication could still exist, yes, sir. 

THE COURT: What communication? 
THE WITNESS : Communication between the 
terrorists. Generally speaking, that's a very general 
term. 

BY MR. HURLEY: 

Q . Right . And your point was that applying 

filters to the Internet to make it less unneutral, to use 
that expression, that would, you weigh what you get from 
it with limiting terrorist communication against the 
costs associated with making it less neutral? 

A. Not necessarily a cost in my mind. They did 

talk about costs . It was more along the lines of if it 1 s 
so restricted, they'll just find another communication 
medium . 

Q. And in your report you did mention that that, 

this making the net less neutral would cost money? 
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A. Yes, sir. 

Q. And you indicated also in your report that 

there would be the potential for it impinging on the free 
flow of speech? 

A. Yes, sir. 

Q. In your report what you didn't say is that 

terrorists used the Internet to gather information; is 
that idea reflected in your report? 

A. Not specifically, but maybe more as a 

(INAUDIBLE), yes, sir. 

Q. And you didn't say that they used the Internet 

to gather information from open source reporting? 

A. Not specifically. 

Q. And you didn't say that they used the Internet 

or they use any specific website for this open source 
collection? 

A. Correct. 

Q. The thrust of your point as you were talking 

about net neutrality was terrorists and hiding their 
communication on the Internet? 

A. Yes, sir. Well, generally. 
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Q. You were involved in military intelligence 

while you were on active duty in the Marine Corps? 
A. Yes, sir. 

Q . And how long were you at intel in CO when you 

were in the Marine Corps? 

A . Approximately about three years . 

Q. And you're familiar with the term intelligence 

gaps? 

A. Yes, sir. 

Q. And an intelligence gap is something we don't 

know? 

A. More or less, yes, sir. 

MR. HURLEY: No further questions, ma'am. 

THE COURT: Redirect? 

MR. Von ELTEN : Nothing, ma'am. 

THE COURT : All right . Temporary or 
permanent excusal? 

MR. Von ELTEN: Temporary. 

THE COURT: All right. Staff Sergeant 
Hosburgh, you are temporarily excused. Please don't 
discuss your testimony or knowledge of the case with 
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anyone other than the accused or the lawyers in the case 
while the trial is still going on. 

I do have a question for the government. I'm 
looking at government exhibits 43 and 44, they appear to 
be the same thing, one is redacted and one is not. 

MR. FEIN: Yes, ma'am. 

THE COURT : I have a motion for prosecution 
exhibit 43. Is that the intent? 

MR. FEIN: The intent was to use it as a 
substitute, yes, ma'am. 

Ma'am, read a stipulation of expected 
testimony for Lieutenant Commander Thomas Hoskins, United 
States Navy Reserve dated 10 June 2013. 

THE COURT: What exhibit is that? 

MR. FEIN: Yes, ma'am. Prosecution exhibit 
111 Bravo, the unclassified redacted version. 

It is hereby agreed by the Accused, Defense 
Counsel, and Trial Counsel, that if Lieutenant Commander 
Thomas Hoskins, United States Navy Reserve, were present 
to testify during the merits and pre-sentencing phases of 
this court-martial, he would testify substantially as 
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follows : 

One . I am a Lieutenant Commander in the 
United States Navy Reserves. As a reservist, I am 
currently assigned to United States Pacific Fleet. In 
1997, I obtained a BS in Marine Transportation and a BS 
in Environmental Science from the Massachusetts Maritime 
Academy. In 2007, I obtained a Masters of Business 
Administration from the Naval Postgraduate School . 

Two. I entered active duty in the United 
States Navy in 1998 and left active duty in 2009. 
While on active duty, I was an F-18 pilot. I joined 
the United States Navy Reserves in 2009. I have 
logged over 1700 hours as a pilot, to include 
approximately 320 hours of combat flight time. I 
have completed the requisite training, to include six 
weeks of ground school, one year of primary training 
for preliminary flight instruction, one year of 
specialty training after I selected intermediate 
training, and eight months of advanced training in 
weapons, formation flying, and carrier landing. 

After completing that training, I was 
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selected to fly F-18s and received my wings. 
Thereafter, I completed one year of F-18 training 
where I received additional training in weapons 
usage, high and low level deployment of bombs, and 
carrier flying. 

As a pilot, I have served as an F-18 
division combat lead. I have operated weapons while 
deployed in Afghanistan and conducted reconnaissance 
while deployed in Iraq. I have deployed three times 
in 2001-02, 2003-04, and 2008 in support of Operation 
Enduring Freedom and Operation Iraqi Freedom. I have 
also served as a flight instructor for three years . 

Three. As a reservist, I currently work 
on planning, which involves concept plans, operations 
plans, and execution orders. After leaving active 
duty in 2009, I began to work at Booz Allen as a 
contractor. Today, I work as a maritime planner for 
Booz Allen. Previously, I worked for Booz Allen on 
matters related to United States Northern Command 
USNORTHCOM maritime division. Currently at Booz 
Allen, I work on USNORTHCOM J6 security cooperation. 
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In my work for the J6, I work on security cooperation 
between the United States and Mexico. Specifically, 
I work on command and control of communications, 
computers, and information, C4I. 

Four . I have worked with classified 
information in my career with Booz Allen and as an 
active duty and reservist pilot. As a pilot, I 
worked with classified information daily for flights, 
mission planning, mission briefing, and certain 
information about the planes. Previously, I worked 
with classified information in my work at Booz Allen 
in the J5 pertaining to homeland defense plans, and 
planning and development of specific plans for 
maritime activities, to include work with the United 
States Coast Guard. I have received a one and one 
half hour PowerPoint training on classification 
procedures and spent about an hour quarterly on 
training. I have received derivative classification 
training. I have also used classification guides in 
my work; I have used the USNORTHCOM classification 
guide to determine the classification status of 
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Information. I did not consider the following when 
making any determination: One. What, if any, 
Of this material was included in open source 
reporting and, two, what, if any, of this material 
was available in unclassified publications, such as 
Army Regulations or Field Manuals . 

Five. In 2011, I was mobilized to United 
States Central Command, USCENTCOM. I was mobilized 
to the J5 planning office, Yemen Branch. While in 
this position, I worked on country-to-country action 
plans and worked with the United States Embassy in 
Yemen and the Yemeni military on plans and security 
cooperation . 

Six. While mobilized at USCENTCOM, I was 
tasked though the Task Management Tool to conduct a 
review for classified information. The J5 office 
plans through the director, who receives taskers . 
The director passed the tasker to me . I received the 
submitted documents from the USCENTCOM JAG office. 
My assignment required me to determine whether the 
submitted documents contained classified information 
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at the time they were compromised. 

Seven. In my capacity as the person 
tasked with reviewing the submitted documents, I 
reviewed the documents for classified USCENTCOM JS 
equities. I reviewed approximately 40 documents 
peliaining to United States v. Private First Class 
Bradley Manning, which the prosecution provided to 
USCENTCOM. The documents provided by prosecution, 
submitted documents, included, among others, 
documents from the Combined Information Data Network 
Exchange Afghanistan, CIDNE-A, and other documents 
related to the AR I 5-6 investigation of the Farah 
incident . 

Eight. When conducting the review, I 
looked at USCENTCOM classification guides and 
Executive Order 13526 and its predecessors. I 
reviewed each submitted document line by line for 
classified information by applying the USCENTCOM 
classification guides . I annotated the basis for 
each classification decision in my sworn declaration 
dated 21 October 2011, Bates numbers: 
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00527378-00527397. Prosecution Exhibit 87 for 
identification is this declaration. All documents 
noted in the declaration contained classification 
markings and were properly classified at least at the 
SECRET level, hereinafter "reviewed documents". 

Nine. Based on my military experience, I 
had prior familiarity with the types of documents and 
information I reviewed. During my deployments, I 
worked with similar classified information pertaining 
to mission planning, mission details, weapons 
systems, and maps of troop locations. 

Ten. The reviewed documents consisted of 
documents collected from CIDNE-A and other documents 
related to the Farah investigation. The reviewed 
documents contained military information, to include 
military plans, weapons systems, or operations; 
significant activity reports, SigAct; operational 
code words when identified with mission operations; 
SigActs related to fact of and general type of 
improvised explosive device (IED) attack at specific 
location on specific date, which would have been 
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known by the enemy that was the subject of that 
report; participating units, and details of movements 
of US friendly forces; concept of operations 
(CONOPS) , Operation Orders (OPORD) , or Fragmentary 
Orders (FRAGOs) ; vulnerabilities or capabilities of 
systems, installations, infrastructures, projects, 
plans, or protection services relating to national 
security; and limitations and vulnerabilities of US 
forces in combat area . 

CONOPs are properly classified as 
confidential upon execution and can be declassified 
one year after completion. Participating units, 
including types, vulnerabilities, locations, 
quantities, readiness status, deployments, 
redeployments, and details of movement of U.S. and 
friendly forces in operations can be properly 
declassified upon execution. 

Eleven. I reviewed and determined that 
21 SigActs from CIDNE— A contained classified 
information according to the classification guides 
and my knowledge and experience . These reviewed 
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SigAct reports from CIDNE— A were all marked as 
Secret . The reviewed SigActs from CIDNE -A contained 
multiple forms of military information, to include 
information related to deploying quick response 
forces and code words, reported the effectiveness of 
IED attacks, which would be known to the enemy that 
was the subject of that report, report the locations 
of IED attacks, which would be known to the enemy 
that was the subject of that report, identified IED 
tactics, techniques and procedures (TIPs) for 
responding to IED attacks, identified TIPs for 
identifying and neutralizing IEDs, friendly action 
reports of finding and clearing caches, weapons 
systems and capabilities, sources and methods of 
Intelligence engagement, rules of engagement, CONOPS, 
descriptions of United States forces, TIPs for 
mission execution, anticipated enemy reaction, 
flexible deterrent options, code words, assistance by 
local foreign nationals in locating suspects, and 
details of enemy attacks . 

CONOPs are properly classified as 
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Confidential upon execution and can be declassified 
one year after completion. Participating units, 
including types, vulnerabilities, locations, 
quantities, readiness status, deployments, 
redeployments, and details of movement of U.S. and 
friendly forces in operations can be properly 
declassified upon execution. The 21 CIDNE-A reports 
that contained J5 equities are located in Appellate 
Exhibit 501 and have the Bates numbers 
00377846-00377846 and 00377888-00377910. These 
CIDNE-A reports are contained within 
PE 89 for identification. 

Twelve. Additionally, I reviewed the AR 
15—6 investigation into a military operation that 
occurred in Farah province, Afghanistan on or about 4 
May 2009. The AR 15-6 investigation into the Farah 
incident was focused on investigating the 
circumstances surrounding a large-scale civilian 
casualties (CIVCAS) incident. The incident occurred 
in Gharani, which is a village in Farah Province, 
Afghanistan. As noted in PE 90 for identification, I 
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found that 13 of the Farah investigation documents 
contained classified information I believed to be 
sensitive and classified because the documents reveal 
TIPs, troop movements, close air support, troops in 
combat (TIC), and graphics showing troop movements. 
The Farah investigation documents that contained J5 
Equities are located in AE 501 and have the Bates 
numbers 00377425-00377480, 00377496, 00377627, 
00377672-00377674 00378029, 00378066, 00378071, 
00378079, and 00378082. These documents are 
contained within PE 90 for ID. 

Thirteen. I reviewed PE 66 for ID, a CD 
contained the video named "BE22 PAX.wmv". This 
video, Gharani video, is a video depicting portions 
of a military operation in Farah Province, 
Afghanistan, separately from the review I conducted 
for classified USCENTCOM J5 equities . 

Fourteen . While on active duty from 
2007—09, I was the strike operations officer 
responsible for planning, training, coordinating air 
wing and air-to-ground operations, which involved 
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coordinating with the Army ground liaison for mission 
coordination of ground targets. In this capacity I 
reviewed video recordings of combat missions . The 
videos captured flight operations using forward 
looking infrared radar (FLIR) . I reviewed the videos 
to ensure the mission achieved its goal, hit the 
target, or reviewed the information captured in a 
reconnaissance capacity. I reviewed hundreds of 
these videos for validation. The Gharani video is 
similar to the hundreds of videos I reviewed as a 
strike operations officer. 

Fifteen. I reviewed the Gharani video 
for sensitive military information. I relied on my 
experience while conducting my review for sensitive 
and classified information of the Gharani video . In 
particular, I relied on my training and schooling, 
experience as a flight instructor, experience with 
operating FUR systems, and experience reviewing 
videos that record imagery as presented in the FUR 
system. 

After my review of the above referenced 
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documents for USCENTCOM J5 equities, I forwarded my 
conclusions and recommendations to Deputy Commander, 
USCENTCOM, an Original Classification Authority for 
his final determination as to whether the information 
is properly classified. 

Your Honor, the United States moves to 
admit prosecution exhibit 87 for identification as 
prosecution exhibit 87. 

MR. HURLEY: No objection. 

MR. FEIN: And the United States moves to 
admit prosecution exhibit 66 for identification as 
prosecution exhibit 66. 

MR. HURLEY: No objection. 

THE COURT: All right. Both exhibits are 

admitted. 

May I see prosecution exhibit 66, please? 
All right. Prosecution exhibits 66 and 87 

are admitted. 

MR. FEIN: Ma'am, the United States requests 
a brief comfort break . 

THE COURT: All right. Any objection? 
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MR. HURLEY: No, ma'am. 

THE COURT: Court is in recess until 20 
minutes to eleven. 

(BRIEF RECESS . ) 

THE COURT: Is the government ready to call 
the next witness? 

MR. Von ELTEN : Yes, ma'am. United States 
recalls Special Agent Mander. 

Agent Mander, let me remind you you're still 

under oath. 
Whereupon : 

MARK MANDER, 

recalled as a witness, having been previously duly 
sworn according to law, testified as follows : 

CONTINUED DIRECT EXAMINATION 
BY MR. Von ELTEN: 

Q. What is an IIR? 

A. An IIR, that's an acronym, it stands for 

intelligence information report . 

Q. Who creates an I I R? 

A. Various military intelligence-like 
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organizations throughout DOD as well as other agencies 
that deal with intelligence typically create them. 

Q. What are some examples of some of those 

agencies? 

A. Army military intelligence, the FBI creates 

them, NCIS, Air Force Office of Special Investigations. 
There ' s others . 

Q. What types of information do they contain? 

A. They contain all types of intelligence 

information relating to counter terrorism information, 
things involving cyber activities, as well as things 
about foreign militaries, things like that. 

Q. And who writes them? 

A. Typically individuals who are assigned in 

military intelligence-like units or other intelligence 
type units that are designated to produce those types of 
reports . 

Q. What is the basis of the content in an IIR? 

A. The basis of the contents can be from sources, 

people that provide information, it can be from other 
military or intelligence organizations actually observe 
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activities for themselves and they want to report it and 
that ' s essentially the mechanism the intelligence 
community uses to share that information to other 
elements . 

Q. How are they used broadly? 

A. Well, there's a system, and I'm not super 

familiar with it because I do criminal investigation, but 
generally speaking, someone will produce a report that 
contains information or intelligence in it . Other 
elements will then see that report and they can then 
generate questions or follow-up questions, which then in 
turn produce more reports . 

Q. And how are they organized? 

A. Can you be more specific? 

Q. Is it like a fact summary, an analysis 

section, does it vary? 

A. It probably varies. It depends on the nature 

of the information. Sometimes they're very short, maybe 
like just one or two pages, sometimes they're very long, 
multiple pages and they are kind of organized in, they 
usually have across the top like a classification, shows 
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the section of the distribution of who gives the report. 

MR. TOOMAN: Your Honor, we'll object based 
on the record. The witness has said he's not super 
familiar with this process to use his words, so we would 
object on personal knowledge. 

A. I have seen many intelligence reports, but I 

don't know all about the process of how they're created. 

THE COURT : All right . Then stop asking 
about the process of how they're created. Sustained. 
BY MR. Von ELDEN : 

Q. Where do you find IIRs? 

A. There's two systems that I would use to look 

up IIRs. I believe I can name the two systems here. One 
of them is called Hot R, H O T R, and I don't know what 
that acronym stands for or if it stands for anything, and 
then there ' s another system called the Multi Media 
Manager, or they typically call it M3 . I know that 
there ' s others . 

Q. What are some of the others? 

A. I don't know the others, I just know that 

there are others and that certain systems are based on 
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like the organizations that produce the reports. So, for 
example, the DOD reports, most of them are in Hot R, but 
if you want to see a report that was published by another 
organization such as like the FBI, you would use M3 . 

Q. What search engine do you use to search for 

IIRs? 

A. Intelink is one of the systems you can use to 

search. 

Q. Do you use Intelink to search for IIRs? 

A. Occasionally. Typically you can also log into 

one of the systems I mentioned and then search for the 
IIRs that way as well. 

Q. How are the results displayed in Intelink? 

A. They're typically displayed kind of similar to 

what Google looks like, somewhat similar. 

Q. And when have you used IIRs? 

A. Well, specifically in this case we did look 

for IIRs that related to WikiLeaks, that keyword. 

Q. Retrieving prosecution exhibit 99 for 

identification. Hand this to the witness. 

THE COURT : Just a minute . Yes . 
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BY MR. Von ELTEN : 

Q. What have I handed you, Agent Mander? 

A. This appears to be, excuse me, declassified 

version of an IIR specifically related to the WikiLeaks 
organization . 

Q. And what is it numbered? 

A. The number is IIR 5391001408. 

Q. And what is the numbering convention based on 

your experience? 

A. The numbers are broken by spaces. The first 

number, five, I believe that indicates the general 
organization such as Army, Navy, Air Force. The second 
number is a three digit number, 391, would be the 
specific organization within that service. The fourth 
set or, excuse me, third set of numbers, it's a four 
digit number, 0014, would be the serial number of the 
report. And then the last two numbers, 08, would be the 
year, the two digit year of the report. 

Q . Would you please take a moment to review the 

report? 

A . Okay . 
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Q. What's an overview of the content? 

A. Generally speaking, the content of this IIR, 

it more or less spells out that the WikiLeaks 
organization was established in December 2006. Its point 
was to encourage the posting of sensitive government and 
corporate documents. Describes the organization as a 
uncensorable Wikipedia for untraceable mass document 
leaking and analysis. And it also goes through, gives 
more details as well as mentions a large number of what 
we call mirror sites and it gives a long list of it . 

MR. TOOMAN: We'll object based on relevance, 

Your Honor. 

MR. Von ELTEN : Your Honor, I'm just having 
him lay foundation for the relevance of the document . 

THE COURT: What's the relevance? 

MR. Von ELTEN: I'm going to do that right 

now. 

THE COURT: I want you to tell me. 

MR. Von ELTEN: Sorry, ma'am. The relevance 
is this document, it was a document searched for by PFC 
Manning on Intelink. 
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THE COURT: Overruled. 

MR. Von ELTEN: Retrieving prosecution 
exhibit 99 for identification from the witness and 
handing the witness prosecution exhibit 85. 

THE COURT: That's now for identification, 

right ? 

MR. Von ELTEN: Yes, ma'am. 
THE COURT: Just a minute. 

MR. Von ELTEN: I hand you what is marked as 
prosecution exhibit 85. 

THE COURT: For identification? 

MR . Von ELTEN : No , ma ' am . 

THE COURT: It's admitted? 
BY MR. Von ELTEN: 

Q. Please review line 19. 

THE COURT : Stop there for just a moment . I 
want to check with the court reporter for the 
admissibility, prosecution exhibit 85 admitted? 

Go ahead . 

Q. Where was the search conducted? 

MR. TOOMAN: Your Honor, the defense is going 
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to object . I believe that this exhibit is computer logs 
This isn ' t a computer expert . The government has not 
admitted foundation that this witness can interpret raw 
data . 

THE COURT: Lay a foundation. 
BY MR. Von ELTEN : 

Q. Agent Mander, what is your position? 

A. I'm a special agent with the Army CID, 

specifically the computer crime investigative unit. 

Q. And what type of computer crimes do you 

investigate? 

A. Generally speaking, we investigate network 

intrusion type incidents . 

Q. Do you review computer logs as part of that 

work? 

A. Yes, we do. 

Q. And what is a log? 

A. A log file is basically a list of activity 

that is recorded typically by a computer or other types 
of systems that show what activities occurred. 

Q. And what kind of activities are recorded? 
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A. Typically the accesses to a computer system or 

perhaps maybe traffic that transits Internet device such 
as a router or switch, stuff like that. 

Q. And how often do you review computer logs? 

A. I used to review them all the time. Now not 

so much, but I still see them fairly frequently. 

Q. And how familiar are you with computer logs? 

A. Fairly familiar. 

THE COURT: Overruled. 

MR. TOOMAN: Your Honor, the defense would 
request the opportunity to voir dire this witness about 
his knowledge of how computer logs are created. 

THE COURT: All right. I'll let you go ahead 
and do it . Are you finished laying the foundation or do 
you have more foundation questions? 

MR. Von ELTEN : Just a little more, ma'am. 

THE COURT: Go ahead. 
BY MR. Von ELTEN: 

Q. What was the source identified in line 19? 

THE COURT : Wait a minute . Now he ' s 
interpreting the logs . Do you have foundation to lay 
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with respect to — 
BY MR. Von ELTEN : 

Q. What is the search reflected in the log? 

MR. FEIN: Ma'am, may I have a moment? 

THE COURT: Yes. 

(DISCUSSION OFF THE RECORD.) 

MR. Von ELTEN: I'm done laying a foundation. 
THE COURT: Go ahead with the voir dire 
respecting foundation . 

VOIR DIRE EXAMINATION 

BY MR. TOOMAN: 

Q. Good morning, Agent Mander. 

A. Good morning. 

Q. Agent Mander, what experience do you have with 

Intelink? 

A. As a user, I've used Intelink to conduct 

various searches . 

Q. Do you know how Intelink was programmed? Do 

you know how it operates? 

A. Can you be a little more specific? 

Q. Do you know how Intelink goes about creating 
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those logs? 

A. I do not know the specifics about that. 

Q. Do you know where Intelink stores its data? 

A. I believe in the local area here in Maryland. 

Q. Okay. Do you have I guess — what sort of 

courses have you taken on computer forensics? 

A. I've taken at least three courses, one offered 

by Guidant Software specific to the program that we use, 
it's called EnCase, also taken two courses at the Defense 
Cyber Investigations Training Academy involving some of 
those same applications as well as other applications . 

Q . And — I ' m sorry . 

A. I've also taken a large data set acquisition 

course that involves the acquisition of large amounts of 
data . 

Q. Could you be I guess maybe offer a little more 

insight into what you learned in the data set acquisition 
course? 

A. Generally speaking, when we conduct 

investigations there are times where we will need to get 
information from say a server. Generally a server is a 
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type of computer that will have large amounts of 
information on it such as log files as well as storage . 
And basically the course taught the students how to 
obtain that information and a little bit about how to 
interpret it . 

Q. How long was the data set acquisition course? 

A. I'd have to go back and look at my resume. I 

believe it was 40 hours. 

Q. And how much of it was focused on obtaining 

data from a large data set? 

A. I would have to go back and look at the 

course, what do they call that, the, with, you know, lays 
out, it's a document that usually lays out how many hours 
are spent on which thing? I don ' t remember . 

Q. Syllabus? 

A. Yeah, syllabus. There you go. 

Q. Do you recall if the bulk of that course was 

on how to actually obtain the data? 

A. Again, I would have to go back and review the 

syllabus . 

Q. When did you take that course? 
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A. I believe that, was taken within the last two 

years . 

Q. You talked a little bit at that course you 

learned about how to interpret data . Did you learn how 
to interpret Intelink logs? 

A. Specifically Intelink logs were not mentioned 

in the course . 

Q. At that course you learned how to interpret 

logs. Are all logs created equally, that is, do logs for 
Intelink look the same as logs for Google or logs for 
ESPN dot com? 

A. No. Most logs will have some uniqueness to 

them, either the formats or the type of data that ' s 
contained in the logs . That will be dependent upon where 
you're obtaining the logs from. 

MR. TOOMAN: Your Honor, we have no further 
questions, but we would renew our objection as to this 
witness ' s knowledge of Intelink logs and their 
interpretation . 

THE COURT: All right. Thank you. It's 
overruled. Proceed. 
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CONTINUED DIRECT EXAMINATION 
BY MR. Von ELTEN: 

Q. Agent Mander, what document is reflected in 

line 19? 

A. In line 19 there's an IP address followed by a 

date and time and then followed by what appears to be the 
actual raw data of what looks like it ' s a search on 
Intelink . 

Q. What is the first IP address? 

A. In line 19 the IP address is 22.225.41.40. 

Q. And what was the search for? 

A. The search appears to be for an IIR and it 

looks like the IIR is the same IIR that you previously 
showed me . 

MR. Von ELTEN: Your Honor, the United States 
moves to admit prosecution exhibit 99 for identification 
into evidence . 

MR. TOOMAN: No objection. 

THE COURT: Prosecution exhibit 99 for 
identification is admitted into evidence . 

May I see it, please? 
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MR. Von ELTEN: Retrieving prosecution 
exhibit 85 from the witness. 

THE COURT: Before you do that, what was the 
date and time on line 19. 

THE WITNESS: The date here is, it looks like 
it's 14 February 2010, and the time is 2334 hours, and it 
appears to be Greenwich Mean Time or Zulu time . 

THE COURT: Thank you. 
BY MR. Von ELTEN: 

Q. Handing the witness prosecution exhibit 99. 

Permission to publish. 

THE COURT: Go ahead. 
Q. Agent Mander, can you please read paragraphs 

three and four? 

A. Paragraph three. It's unclassified for 

official use only paragraph. It read WikiLeaks 
submission guides states it, quote, accepts classified 
censored or otherwise restricted material of political, 
diplomatic or ethical significance, unquote. The website 
provides suggestions for the anonymous submission of 
material and several methods of submitting material for 
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inclusion to an online database . Methods include 
submission via secure upload, email and via discrete 
postal network. 

Paragraph four is an unclassified for 
official use only marked paragraph. Since December '06 
numerous classified and FOUO documents have been posted 
and continue to be available on WikiLeaks dot org site 
and its mirrors . Some of these postings have garnered 
the attention of major news media outlets, yet 
intelligence reporting has largely ignored these leaks . 
This report is being issued in an attempt to raise the 
awareness of this threat . Some of the documents 
discovered on the WikiLeaks website are listed below, 
colon . 

Q. Agent Mander, what is a mirror? 

A. As we discussed yesterday, a mirror is like an 

alternate version of a website that generally reflects 
the content of the original site. 

Q. And what is the purpose of a mirror? 

A. Well, there's many purposes. Sometimes use 

that for redundancy in case the primary website goes 
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down, you'll have an alternate that users can — 
THE COURT: Yes. 

MR. TOOMAN: We'll renew our objection from 
yesterday that this witness doesn't have personal 
knowledge of why a website would use a mirror. 

THE COURT: Overruled. 

THE WITNESS: So redundancy, or generally 
redundancy I guess would probably be the best way to say 
it. 

MR. Von ELTEN : Thank you. No further 

questions . 

THE COURT: Cross examination. 
MR. TOOMAN: Yes, ma'am. 
CROSS EXAMINATION 

BY MR. TOOMAN: 

Q. Agent Mander, you talked about the Intelink 

logs and you looked at those. From the Intelink logs you 
can't tell if prosecution exhibit 99 was printed, 
correct? 

A. That would be correct. 

Q. You also can't tell if it was saved, a copy 
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was saved by the user? 

A. That would also be correct. 

Q. You really can't tell if the user of that 

particular machine even looked at the document, correct? 

A. That's also correct. 

Q. You talked a little bit about the contents of 

that document . I guess the document talked about 
WikiLeaks accepting political, diplomatic and ethical 
contributions, correct? 

A. Yes. 

Q. It didn't talk about accepting contributions 

that would help a military, correct? 

A. Can I see the document again? 

Q. I'm going to retrieve prosecution exhibit 99 

and hand that to the witness . 

A. Can you repeat your question? 

Q. I'm going to go ahead and retrieve the exhibit 

from the witness. 

A. Is it possible that I can keep this while you 

ask your question? 

Q . Sure . 
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You were referred to paragraphs two and three 
by the prosecution and they talked about WikiLeaks 
accepting political, they wanted things that would be of 
political significance, correct? 
A. Correct. 

Q. They be wanted things that would be of 

diplomatic significance? 
A. Yes. 

Q. And they wanted things that would be of 

ethical significance, correct? 

A. According to that paragraph. 

Q. And nothing in that paragraph suggests that 

WikiLeaks was wanting contributions that would be of 
military significance, correct? 

A. It doesn't mention military, but it does 

mention governments and corporations of various 
countries . 

Q. Okay. Governments and corporations? 

A. I guess you could infer military is part of 

the government . 

Q. Okay. Now, that document talks about a number 
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of classified materials that, were released by WikiLeaks, 
correct? You talked about that with the prosecution. 
A. It does, yes. 

Q . And there 1 s nothing in that document that says 

that the enemy viewed those releases, is there? 
A. If you give me a moment here. 

Q . Sure . 

A. No, it doesn't specifically mention any 

enemies having access to the documents . 

MR. TOOMAN: Okay. I'm going to go ahead and 
retrieve the exhibit from you, Agent Mander. Thank you. 
And give that back to the court reporter . And no further 
questions, ma'am. 

THE COURT: Redirect. 

MR. Von ELTEN : Nothing, Your Honor. 

THE COURT: All right. Temporary excusal? 

MR. Von ELTEN: Yes, ma'am. 

THE COURT: Once again, Agent Mander, you're 
temporarily excused. Same rules apply as before. Please 
don't discuss your testimony or knowledge of the case 
with anyone other than counsel or the accused. 
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MR. FEIN: Ma'am, the United States offers to 
read a stipulation. 

Ma'am, this is prosecution exhibit 112, 
stipulation of expected testimony for Lieutenant Colonel, 
Retired, Martin Nehring dated 10 June 2013. 

It is hereby agreed by the Accused, Defense 
Counsel, and Trial Counsel, that if Lieutenant Colonel, 
Retired, Martin Nehring were present to testify during 
the merits and pre-sentencing phases of this 
court-martial, he would testify substantially as follows: 

One . I am a retired lieutenant colonel in 
the United States Air Force . I have a BS in Petroleum 
Engineering from New Mexico Institute of Mining and 
Technology in 1982. I received a Masters of Public 
Administration from Troy University in 1995. I began 
serving on active duty in the United States Air Force 
in 1985 as a second lieutenant. During my career, I 
spent 12 years on active duty and 16 years in the 
California Air National Guard. I retired in 2012. 

I deployed to Kuwait in 2001 with the 
Third Army. I also deployed to Kosovo in 2002 for 
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weather operations. In 2006, I deployed to 
Afghanistan and ran all weather operations in 
Afghanistan. Throughout my career in the Air Force 
as a trained meteorologist, I possessed a Top Secret 
clearance and handled Top Secret information . I 
handled classified information at the beginning of my 
service in 1985 and had training in how to handle and 
identify classified information. I worked with 
classified information at all times during my 
military career . 

Two. From 2009 to February 2012, I 
worked at United States Central Command, USCENTCOM. 
I worked in a Sensitive Compartmented Information 
Facility, SCIF, at USCENTCOM. Initially, I worked at 
the weather desk. After USCENTCOM discontinued the 
weather desk, I was reassigned under the USCENTCOM 
Directorate of Operations J3 as the J3 subject matter 
expert, SME, for identifying J3 classified equities 
within United States Government official 
documentation. In this capacity, I was primarily 
responsible for reviewing documents being processed 
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under the Freedom of Information Act, FOIA, which 
belonged to or contained information from USCENTCOM 
J3. For FOIA requests, I reviewed the requested 
information for classified information to determine 
whether the document could be released under the 
FOIA. Additionally, I conducted review for release 
of information to family members of service members 
who were killed, wounded, or kidnapped within the 
USCENTCOM theaters of operations and the media. I 
also conducted separate reviews for coalition 
partners because the standards were different for 
each. Family members and the media could only 
receive unclassified information. Coalition partners 
could receive certain classified information. 
Classified information in a document could not be 
released under the FOIA even if the remainder of the 
document contained publicly available information 
because the information is still protected. 

Three. In my capacity as the J3 SME, I 
reviewed documents pertaining to United States v. 
Private First Class Bradley Manning, which the 
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prosecution provided to USCENTCOM. The documents 
provided by the prosecution, submitted documents, 
included, among others, documents from the Combined 
Information Data Network Exchange Iraq, CIDNE-I, the 
Combined Information Data Network Exchange 
Afghanistan, CIDNE-A, other documents related to the 
AR 15-6 investigation of the Farah incident, and a 
file named "BE22 PAX. zip" containing a video named 
"BE22 PAX.wmv" Gharani video. 

Four. I was tasked though the J3 Task 
Management Tool . I received the submitted documents 
from the USCENTCOM JAG office. My assignment 
required me to determine whether the submitted 
documents contained classified information at the 
time they were compromised. I reviewed the documents 
for classified USCENTCOM J3 equities . 

Five . To determine whether submitted 
documents were classified at the time of compromise, 
I used three classification guides. I used a 
USCENTCOM classification guide dated before Operation 
Iraqi Freedom, the updated version of that USCENTCOM 
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classification guide dated during Operation Iraqi 
Freedom, and the version of the USCENTCOM 
classification guide that was current at the time I 
conducted the classification review. 

I did not consider the following in 
making any determination: One, what, if any, of this 
material was included in open source reporting; two, 
what, if any, of this material was available in 
unclassified publications, such as Army Regulations 
or Field Manuals; and, three, what, if any, of this 
material may have been shared at the tactical level 
during the key leader engagements described below. 

Six. I applied a process-oriented 
approach toward applying the classification guide to 
each of the submitted documents. First, I would 
determine the date of the document and use the 
classification guide appropriate for each document 1 s 
date . I would determine the document ' s 
classification at the time the document was created. 
Documents I determined that were unclassified were 
removed from the collection of submitted documents . 
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In fact, I approached the documents with a "FOIA 
mindset" and tried to ensure each document was not 
actually classified. I did not presume any document 
was classified and reviewed each line in each 
document for classified information. 

Seven. Second, I reviewed the document 
to determine if it was classified at the time of it 
was compromised according to the appropriate security 
classification guides . I reviewed documents for 
USCENTCOM J3 equities . Documents containing 
intelligence were sent to Mr. Louis Travieso for 
further review for USCENTCOM J2 equities . I 
conducted a line by line review and reviewed each 
document for USCENTCOM J3 equities by applying 
specific paragraphs of the classification guides from 
the appropriate time period. Where the reviewed 
document contained USCENTCOM J3 equities as 
determined by the appropriate USCENTCOM 
classification guide, I marked the document as 
containing information I believed to be sensitive and 
classified. I annotated the basis for each 
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classification decision in my sworn declaration dated 
19 October 2011, which is Bates numbers 
00527370-00527377. Prosecution Exhibit 86 for 
identification is my declaration . All documents 
noted in the declaration contained classification 
markings at the Secret level, hereinafter "J3 
reviewed documents" . 

Eight . The J3 reviewed documents 
consisted of documents collected from CIDNE— I, 
CIDNE-A, other documents related to the Farah 
investigation, and the Gharani video. The reviewed 
documents contained military information, to include 
military plans, weapons systems, or operations; 
foreign government information; significant activity 
reports (SigActs) ; operational code words when 
identified with mission operations; SigActs related 
to fact of and general type of I ED attack at specific 
location on specific date; participating units, 
including types of vulnerabilities, locations, 
quantities, readiness status, deployments, 
redeployments, and details of movements of US 
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friendly forces; concept of operations (CONOPS) , 
operation orders (OPORD) , or fragmentary orders 
(FRAGOs) ; vulnerabilities or capabilities of systems, 
installations, infrastructures, projects, plans, or 
protection services relating to national security; 
and limitations and vulnerabilities of US forces in 
combat area . 

Nine . CIDNE-I and CIDNE-A contained 
SigAct reports. The SigActs were marked as Secret. 
Within the SigActs, several categories appeared 
multiple times . These categories include key leader 
engagements, mission report logs, reports on 
improvised explosive devices, IEDs, and tactics, 
techniques, and procedures (TIPs) in response to 
IEDs, and reports and responses for missions focused 
on duty status-whereabouts unknown (DUSTWUN) . 

Ten. Key leader engagements described 
interactions of members of the military with local 
leaders in Iraq and Afghanistan regarding a broad 
range of topics. Disclosure of the key leader 
engagements would reveal foreign government 
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activities, the involvement of service members with 
local foreign leaders, and the identities of local 
leaders . 

Eleven. Mission report logs described 
troop movements, activities, and engagements with 
hostile forces. The mission report logs describe 
tactics, troop locations, weapons and military 
equipment used . 

Twelve. IED reports detailed the 
casualties inflicted on service members, the 
locations of the attacks, and TIPs for detecting and 
responding to IED attacks . The IED reports recount 
the attacks of hostile forces, troop locations, and 
the capabilities of United States forces . 

Thirteen. DUSTWUN reports stated the 
names and other personal information of kidnapped 
service members and the TIPs in response to locate 
the kidnapped service member. The DUSTWUN reports 
state troop locations, tactics, encounters by 
military forces with hostile forces and foreign 
nationals . 
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Fourteen. The 53 CIDNE-I reports that 
contained J3 equities are located in Appellate 
Exhibit 501 and that have the Bates numbers 
00377912-00377918, 00377921-0377933, 00377935- 
00337938, 00377940-00377949, 00377952-00377958, 
00377960-00377963,00377965-00377980, 
00377983-00377986, 00377988-00378013, and 
00378016-00378026. These CIDNE-I reports are 
contained within PE 88 for ID. The 36 CIDNE-A 
reports that contained J3 equities are located in AE 
501 and that have the Bates numbers 
00377846-00377846, 00377849-00377856, 
00377860-00377871, 00377874-0037788, 
00377886-00377905, and 00377907-00377910. These 
CIDNE-A reports are contained within PE 89 for ID. 

Fifteen. The J3 reviewed documents 
contain SigAct reports from CIDNE-I that I determined 
contained classified information according to the 
applicable security classification guides. These 
SigAct reports from CIDNE-I were all marked Secret. 
Additionally, the J3 reviewed documents contain 
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SigAct reports from CIDNE— A that I determined 
contained classified information according to the 
applicable security classification guides . These 
SigAct reports from CIDNE-I and CIDNE— A were all 
marked Secret . The J3 reviewed documents within 
PE 88 for ID and PE 89 for ID contain multiple forms 
of military information, to include but not 
Limited to the following: One, threat of attack in 
an area by a specific group; two, confirmed that a 
previously reliable source of intelligence provided 
information; three involved direct and indirect fire 
reports; four, reported casualties; five reported 
loss of equipment; six, stated types of weapons 
encountered in an enemy engagement; seven, reported 
the effectiveness of IED attacks; eight, reported the 
locations of IED attacks; nine, identified JED TIPs 
for responding to JED attacks; ten, identified TIPs 
for identifying and neutralizing JEDs; eleven, 
identified by name suspects in investigations; 
twelve, identified quick response force mobilization 
TIPs; thirteen, identified code words; fourteen, 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Morning Session 



involved friendly action reports; fifteen, stated 
details of military missions; sixteen, named multiple 
enemy groups; seventeen, reported lack of casualties; 
eighteen, reported lack of loss of equipment; 
Nineteen, identified general enemy TIPs; twenty, 
involved an enemy small arms fire report; twenty-one, 
identified enemy target by name; twenty- two, stated 
effectiveness of enemy actions; twenty-three, 
described a military raid; twenty— four, identified 
sources and methods of intelligence collection; 
twenty-five, identified responses based on 
intelligence gathered; twenty-six, detailed arrest of 
a suspect; twenty-seven, stated detention of a 
suspect would have a significant impact on military 
operations; twenty-eight, described friendly action 
of finding and clearing caches; twenty-nine, involved 
a border operations report; thirty, described a civil 
disturbance; thirty-one, identified unit locations; 
thirty-two, reported enemy casualties; thirty-three, 
stated planned unit movement; thirty-four, stated 
details of combat patrols; thirty-five, described key 
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leader engagement; thirty-six, assessed effectiveness 
of local outreach programs; thirty-seven, detailed 
kidnapping of a service member; and thirty-eight, 
described initiation of DUSTWUN procedures . 

Sixteen. Additionally, I reviewed 
documents from the AR 15-6 investigation into a 
military operation that occurred in Farah province, 
Afghanistan on or about 4 May 2009. The AR 15-6 
Investigation into the Farah incident was focused on 
investigating the circumstances surrounding a 
large-scale civilian casualties, CIVCAS, incident. 
The incident occurred in Gharani, which is a village 
in Farah Province, Afghanistan. 

The documents from the AR 15-6 
investigation that contained J3 equities are located 
in AE 501 and that have the Bates numbers: 00377425- 
00377492, 00377496-00377498, 00377627-00377637, 
00377674-00377675, and 00378029-00378081. These 
documents are contained within PE 90 for ID . As 
noted in PE 90 for ID, I found that these documents 
contained information I believed to be sensitive 
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classified because they reveal operational 
activities, weapons systems, and code words. 

Seventeen. As part of my review of the 
Farah documents, I reviewed a file named "BE22 
PAX. zip" containing a video named "BE22 PAX.wmv" 
hereinafter Gharani video. PE 66 for ID is a 
CD that contains both files I reviewed. The Gharani 
video depicts portions of a military operation in the 
Farah Province, Afghanistan. The Gharani video 
reveals operational code words associated with the 
mission. The video also reveals operational 
activities including troop movements and weapons 
systems. Finally, the video includes specific 
information contained on the heads— up display. 

Eighteen . After my review of the above 
referenced documents for USCENTCOM J3 equities, I 
Forwarded my conclusions and recommendations to 
Deputy Commander, USCENTCOM, an Original 
Classification Authority, for his final determination 
as to whether the information is properly classified. 

Your Honor, the United States moves to 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Morning Session 

94 

admit, prosecution exhibits 88 and 89 for 
identification as prosecution exhibits 88 and 89. 

MR. HURLEY: No objection, ma'am. 

THE COURT: All right. Prosecution exhibits 
88 and 89 are admitted. May I see them, please? 

Plaintiff's exhibits 88 and 89 are admitted. 

MR. FEIN: Ma'am, the United States moves to 
admit prosecution exhibits 86 and 90 for identification 
as prosecution exhibits 86 and 90. 

MR. HURLEY: No objection, ma'am. 

THE COURT: All right. Prosecution exhibits 
86 and 90 are admitted. 

MR. Von ELTEN: Your Honor, I have 
prosecution exhibit of Mr . Jacob Grant . 

THE COURT: That's 106? 

MR. Von ELTEN: Yes, ma'am. 

THE COURT: Proceed. 

MR. Von ELTEN: It is hereby agreed by the 
accused, defense counsel and trial counsel that if Mr. 
Jacob Grant were present to testify during the merits and 
pre-sentencing phases of this court-martial, he would 
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testify substantially as follows : 

One. I currently serve as Contract Task Lead 
for CCJ6, assigned to the Active Cyber Defense Branch at 
U . S Central Command ' s Headquarters USCENTCOM on MacDill 
Air Force Base in Florida. In this capacity, I am 
responsible for conducting various levels of cyber 
operations for USCENTCOM and Overseas Areas of 
Responsibility including computer network defense 
activities, computer network attack planning and 
analysis, and the analysis and reverse engineering of 
computer network exploitation activities in order develop 
effective countermeasures . 

I am the lead for our "in-house" Computer 
Emergency Response Team, CERT. In this capacity, I 
perform in-depth forensic analysis of CND alerts, flow 
analysis, or interpretation of threat information to 
include security compromises, network intrusions, and 
malicious logic outbreaks . I have held this position for 
four and a half years . At the time of my involvement in 
this case, I was the Senior INFOSEC Analyst with the 
Information Assurance Branch of the J6 USCENTCOM. I have 
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also been an IA watch officer, a senior analyst., and a 
senior engineer. I served for two years as an enlisted 
airman working in technical control and network 
engineering . 

Two. I am a certified information systems 
security professional, CISSP, 2008. I have a Top 
Secret/SCI security clearance. I have associate 
degrees in Electronic Systems Technology and 
Avionics Systems Technology. I am a Cisco Certified 
Network Associate, CCNA, 2003, and a CORE Impact 
Certified Professional, CICP, 2013. Some of the 
network security and associated training I have 
received includes : McAfee Network Security Platform 
Administration, 2013; ArcSight ESM Use Case 
Foundations, 2012; EnCase Computer Forensics 1, 2012; 
Arc Sight Logger 5.0 Administration and Operations, 
2011; Basic Malware Analysis Using Responder 
Professional, 2010; Ethical Hacking, 2008; McAfee 
Host— Based Security Systems, 2007; Information 
Technology Service Management, ITSM, 2007; and Cisco 
Securing Networks w/ PIX & ASA, SNPA, 2007. 
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Three . I became involved in this case 
for two reasons. From 19-20 August 2010, I was 
involved in the collection and transfer of audit logs 
from the USCENTCOM SharePoint on the USCENTCOM 
SIPRNET web server. At this time, I was also 
involved in the identification, collection, and 
transfer of information housed within that SharePoint 
site. Our collection focused on the SharePoint 
because I had identified it as the location of 
charged documents based upon the SIPRNET web page 
address of those documents. 

Further, Special Agent John Wilbur, with 
whom I was working, was interested in the contents of 
the USCENTCOM JAG folder. 

Four. The USCENTCOM SharePoint server is 
a tool to create an internet interface that allows 
users with access to the site on SIPRNET to 
collaborate, for example, by sharing files. The 
SharePoint itself is only accessible via SIPRNET, so 
a user must access it via secure systems . At that 
time, it was identified at IP addresses 
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131.240.47.23, for the SharePoint database cluster, 
131.240.47.6, and 131.240.47.7, for the web portal 
front end or the portion accessible by SIPRNET users. 
The database as a whole occupied several terabytes of 
space. The server supporting it, from which I pulled 
the logs and other information at issue, is 
physically housed on virtual machines within a 
cluster, in a data center, on a storage area network. 
Only authorized USCENTCOM Headquarters J-6 personnel 
are granted access to the facility. The data center 
is protected by badge access, cipher locks, video 
surveillance, and an access roster. 

Five . The audit logs I referenced herein 
are Internet Information Systems, IIS, or Windows 
server log files, which capture the IP address of the 
USCENTCOM SharePoint server. The logs do not capture 
any remote or external IP addresses. The logs only 
capture the dates and times documents are accessed on 
the SharePoint server, as well as related activity on 
the SharePoint server . 

Six. For collection as evidence by SA 
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Wilbur, these logs were pulled by the internet server 
maintenance team. I know this because I was there 
when they retrieved the information. These logs 
saved in a standard text file, or .txt format. I 
burned these logs onto a hard drive and also onto a 
DVD . I know these devices were clean of data because 
I personally wiped all information from the hard 
drive and laptop, and created the image for the hard 
drive on which the logs were burned. Further, I 
performed a hash value match to verify that the logs 
provided were saved accurately onto the disk . The 
DVD was red. I marked it with the title CIE 
underscore USR underscore DATA. This DVD contained 
the files CENTCOM underscore CIE underscore 
SharePoint dash HASH underscore MDSSHAl.pdf, 
CENTCOMHQ underscore CIE underscore SharePoint dash 
HASH underscore MDSSHAl.txt, webl.zip, and web2.zip. 

The first two files contain the hash 
value information validating the accuracy of the log 
information collected. Webl.zip contained the web 
log data from 1 December 2009 until 30 July 2010, 
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pertaining to the USCENTCOM server assigned IP 
address 131.240.47.6. Web2.zip contained web log 
data from 1 April 2010 until 30 July 2010, pertaining 
to the USCENTCOM server assigned to IP address 
131.240.47.7. Prosecution Exhibit 108 for 
Identification are these SharePoint server logs . 

Seven. After burning the log information 
to the DVD, I signed the evidence to SA Wilbur using 
the provided DA Form 4137 Evidence Property Custody 
Document. The disk was recorded on a DA Form 4137 
labeled as document number 122-10. I recognize this 
as Bates number 00411111. I know this because I 
signed that form and recognize my signature on it. I 
would recognize the evidence itself because I wrote 
the label on the disk and burned it . I did not alter 
the information or the devices on which it was housed 
in any way. 

Eight . The information housed on the 
SharePoint server, mentioned previously, was accessed 
via SIPRNET and located in the JAG folder on the 
USCENTCOM SharePoint page. We collected this 
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information for two reasons. First, collecting this 
information shows what content was originally 
available on the USCENTCOM server to SIPRNET users. 
Second, this information helps put the log data we 
collected into context . 

Nine . I assisted SA Wilbur in collecting 
this information from the SharePoint server. To 
retrieve it, we used two blank CCIU SATA hard drives. 
I know these are clear hard drives because, in 
accordance with USCENTCOM policy, I scanned them for 
malware and viruses before they were used to gather 
the evidence. Having found none, I knew they were 
suitable for evidence collection. To collect this 
information, we also used an approved CCIU laptop. I 
hooked this laptop to the SIPRNET using a CCIU-issued 
USB cable and drive dock. We then connected the 
previously scanned hard drive to the laptop. SA 
Wilbur used that connection to recover the 
information at issue. 

Ma'am, the United States moves to admit 
prosecution exhibit 108 for identification as 
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prosecution exhibit 108. 

MR. HURLEY: No objection, ma'am. 

THE COURT: All right. May I see it, please? 

MR. Von ELTEN: Your Honor, if we may mark 
this for the next recess . 

THE COURT: That's fine. 

MR. Von ELTEN: Your Honor, I have 
prosecution exhibit 72 which is the stipulated expected 
testimony of special agent John Wilbur. 

THE COURT: Proceed. 

MR. Von ELTEN: It is hereby agreed by the 
Accused, Defense Counsel, and Trial Counsel, that if 
Special Agent John Wilbur were present to testify during 
the merits and pre-sentencing phases of this 
court-martial, he would testify substantially as follows: 

One . I am currently the senior Special Agent 
at the computer forensic unit in the office of the 
Special Inspector General for the Troubled Asset 
Relief Program, TARP, at the Treasury Department. In 
this position, I collect and examine digital evidence 
to support criminal investigations . I have held this 
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position since January of 2012. Previously, I was an 
SA for the Department of the Army ' s Criminal 
Investigation Command, CID, Computer Crimes and 
Investigative Unit, CCIU. I held that position from 
June of 2010 to January of 2012. As a CCIU SA, I 
investigated the unauthorized exfiltration of 
classified and sensitive data and the loss of 
personally identifiable information, PII, data 
worldwide . I also investigated intrusions into 
Army computer systems . I currently have over twenty 
years of law enforcement experience, fifteen of which 
have been primarily devoted to conducting complex 
criminal and administrative cyber-related 
investigations . 

Two . I have had substantial training to 
qualify me for my position. I received Department of 
State law enforcement training in 2005, CID law 
enforcement training in 2002, and Police Officer 
Training in 1990. In addition to the 

evidence-handling training included in these courses, 
I also attended the Advanced Crime Scene 
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Investigations course at the Federal Law Enforcement 
Training Center in Glynco, Georgia, May 2008. 

At the time of my involvement in this 
Investigation, my cyber security and forensic 
evidence experience was extensive . Among other 
courses, I had attended multiple courses put on by 
Guidance Software, the makers of the EnCase forensic 
tool; I had attended the Seized Computer Evidence 
Recovery Specialist Certification Course, October 

2001, at the Federal Law Enforcement Training Center; 
and I had attended FT210, Windows Forensic 
Examinations through the Defense Cyber Investigations 
Training Academy, DCITA. Further, I had obtained 
training in Law Enforcement Technology, April 

2002, through the University of Pittsburgh; Advanced 
Data Recovery, March 2001, and Basic Data Recovery, 
January 2000, at the National White Collar Crime 
Center; Operational Information Security I and II, 
July 2000, at the Defense Information Security 
Agency; and Computer Search and Seizure, June 2000, 
through the FBI Academy. 
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I have continued to develop my skills and 
expertise . I have attended training in Windows 7 
Forensics at Access Data, December 2010, the Computer 
Incident Response Course, April 2011, and a course on 
Introduction to Networks and Computer Hardware, 
December 2010, through DCITA. 

Three . My role in this case was to 
assist in witness interviewing and data collection. 
I collected evidence from the United States Central 
Command USCENTCOM server and from the Department of 
State server . 

In collecting the USCENTCOM materials, I 
worked with Mr. Jacob Grant to collect both the 
server logs as well as information from a particular 
folder . 

Four . When collecting and handling 
evidence, I follow several general procedures. After 
collection, I review the evidence property custody 
document for the appropriate information . I fill out 
the date, time, place of collection and describe the 
evidence collected. I record, for example, serial 
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numbers, markings for identification, and condition 
description matching the associated evidence . 
Further, I ensure that the necessary information, 
such as date and time, are properly and accurately 
recorded. 

Lastly, I maintain secure custody of the 
evidence prior to transferring it to another 
individual . In addition to following these 
procedures, when transferring to or receiving 
evidence from another person, I am also sure to 
properly sign, date, and note the reason for the 
transfer . 

Five. From the USCENTCOM server, Mr. 
Grant and I collected information from the 
USCENTCOM SharePoint site as well as the audit logs 
which track access to the site. I was interested in 
this information so that investigators could compare 
compromised information regarding the Farah 
investigation to information on the USCENTCOM server, 
and so that investigators could identify computers 
which were used to retrieve potentially compromised 
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material. Before Mr. Grant or I accessed, imaged, 
searched for, or extracted any information, we needed 
special authorization from MG Jones, Chief of Staff, 
USCENTCOM. CCIU forwarded a formal written request 
through the Office of the Staff Judge Advocate to the 
USCENTCOM J6 requesting release of this evidence on 9 
August 2010. This request was approved on 19 August 
2010. The same day, I worked with Mr. Grant to 
prepare for evidence collection by getting in order 
the equipment we would need for collection. Mr. 
Grant ensured that the laptop, hard drive, and cables 
we would need were clean of any data and ready for 
use . 

Six. The following day, Mr. Grant 
collected from the J6 shop a DVD containing the audit 
logs for the USCENTCOM SharePoint server. The logs 
show, among other things, the date and time USCENTCOM 
documents were accessed on the SharePoint server, 
from December 2009 until August 2010. On 20 August 
2010, he signed that evidence over to me. I took 
possession using the evidence handling procedures I 
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describe herein including, but not limited to, 
documenting it on an Evidence Property Custody 
Document DA Form 4137, labeled as document number 
122-10, Bates number 00411111. Later that same day, 
I properly signed that evidence over to the CCIU 
Evidence Custodian, Ms. Tamara Mairena. At no point 
did I alter the DVD or its contents. I have no 
reason to believe it suffered damage or contamination 
in any way. 

Seven. In addition to collecting the 
logs, I worked further with Mr. Grant to access and 
collect information from the USCENTCOM SharePoint 
collaboration space on the USCENTCOM server. 
SharePoint is a tool produced by the Microsoft 
Corporation to create an internet interface which 
allows users with access to a SIPRNET website to 
collaborate, for example, by sharing files. The 
USCENTCOM SharePoint itself is only accessible via 
SIPRNET, so a user must access it via secure systems 
and a proper security clearance . The server 
supporting it, from which Mr. Grant pulled the logs, 
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is on virtual machines within a cluster, in a data 
center, on a storage area network Only authorized 
USCENTCOM headquarters J6 personnel are granted 
access to the facility. The data center is protected 
by badge access, cipher locks, video surveillance, 
and an access roster. This information was located 
on SIPRNET in the JAG folder on the USCENTCOM 
SharePoint page. Mr. Grant assisted me in locating 
it on the system. We sat at his workstation to pull 
the folder contents . We knew where to focus our 
search based on Mr. Grant's SIPRNET web page address 
identifications of the information at issue and 
because investigators in the case had cause to 
suspect the charged information was housed in the 
USCENTCOM JAG folder. 

In consultation with investigating 
forensic examiner SA Dave Shaver, we determined the 
most forensically sound way to collect the Farah 
information itself, as well as information about how 
it was accessible on SharePoint, was to navigate 
through the series of digital folders to download the 
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Farah file itself. As we navigated through the 
folder structure on the SharePoint server, we took 
screenshots of the contents of each folder before we 
entered the subsequent folder. A screenshot is the 
process of obtaining a digital copy of the computer 
screen, similar to a photograph. 

Eight. During the morning of 20 August 
2010, I connected, via a USB cable, a CCIU-issued 
Voyager drive dock to the laptop which accessed the 
SharePoint server via a USB cable. I connected a 
400GB Seagate Barracuda, SATA hard drive, serial 
number 3NFODYJI, to the laptop using the drive dock 
and assigned that drive the letter X. Using 
Microsoft's Internet Explorer, I navigated to the 
SIPRNET web page www.nonrel.cie.centcom.smil.mil. 
From this screen, I clicked on the Organization link. 
I created a screen capture of this page and saved it 
in a folder in the Desktop Directory called screen 
shots. From this screen, I clicked on the 
Special Staff link. I created a screen capture of 
this page and saved it in the screen shots folder. 
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From this screen, I clicked on the Judge Advocate 
link. I created a screen capture of this page and 
saved it in the screen shots folder. From this 
screen, I clicked on the JA Document Page link. I 
created a screen capture of this page and saved it in 
the screen shots folder. From this screen, I clicked 
on the folder icon Investigations . I created a 
screen capture of this page and saved it in the 
screen shots folder. From this screen, I clicked on 
the folder icon Farah. I created a screen capture of 
this page and saved it in the screen shots folder. 
The folder Farah contained the following sub-folders : 
Admin Material, Briefs, Email, Investigations Tabs, 
Repotis and EXSUMs, Timelines, and Videos. I 
navigated to each of the sub-folders and created a 
screen capture for each page then saved it in the 
screen shots folder. The screen shots showed how the 
SharePoint portal was arranged and the path to the 
Farah folder . 

Nine . Prosecution Exhibit 65 for 
identification is a computer printout that shows the 
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file names and their associated paths that we 
navigated. It is a printout of a directory listing 
showing the filenames of each file and folder 
contained within the Farah folder on the USCENTCOM 
Server with individual line numbers printed to the 
left of the listing. It lists the first level of 
subf older s within the Farah folder alphabetically, 
and then lists the filenames of the first subf older. 
The document continues this process of listing 
subfolder names recursively, until all files and 
their filenames in all subfolders have been listed. 

Ten. Later in the day on 20 August 2010, 
I recreated the folder Farah on the Desktop Directory 
of the laptop and included all of the subfolders that 
resided in the Farah folder. I then downloaded each 
individual file contained in the folder Farah into 
the same location inside the recreated Farah folder 
on the Desktop Directory of the laptop computer. 
After verifying that all of the files downloaded 
correctly, I installed EnCase version 6.14.3 on the 
laptop computer. Using EnCase, I created a logical 
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evidence file of the folder Farah and all of its 
sub-folders. The logical evidence file was named 
JA-Investigations-Farah Folder. LOI. An MD5 hash of 
4 6ell229a5d678cabf 9c3fa6839f 662c was obtained and 
recorded. The logical evidence file of the folder 
Farah was placed in a folder named EnCase on the root 
of the X drive connected to the laptop. I also 
copied the recreated Farah folder and all of the 
sub— folders and placed them onto the root of the X 
drive. Subsequently, the folder Screen Shots was 
then copied and placed on the root of the X drive as 
well . 

Eleven. When beginning the process of 
navigating through the JAG folder to obtain the Farah 
contents, I was not required to enter any login or 
password window on the main page . I was able to 
navigate to any page and access all folders and 
documents in the document library, including the SJA 
Investigations folder and the Farah folder without 
ever entering any authentication or credential 
information. In the Farah folder, all of the video 
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files were password protected, including a file named 
BE22 PAX. zip containing a video named BE22 PAX.wmv. 
We therefore also requested and received the password 
to unlock the file named BE22 PAX. zip and the other 
videos from USCENTCOM. PE 66 for Identification is a 
CD containing the file named BE22 PAX. zip and the 
video file named BE22 PAX.wmv. PE 67 for 
Identification contains the password for the file 
named BE22 PAX. zip which I received from USCENTCOM. 

Twelve. Later on 20 August 2010, I 
connected a second 400GB Seagate Barracuda, SATA hard 
drive, serial number 3NFOHTG4 , to the laptop using 
the drive dock and assigned that drive the letter Y. 
I then recreated the process a second time placing 
the folder EnCase, containing the EnCase logical 
evidence file for the folder Farah, the recreated 
folder Farah, and the folder Screen Shots onto the 
root of the Y drive . The second evidence drive was 
created as a backup in case the first evidence drive 
suffered a failure. 

Thirteen . I later collected as evidence 
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two SATA hard drives . These SATA hard drives each 
contained images of three folders, EnCase, Farah, and 
Screen Shots, copied from the USCENTCOM SharePoint 
server IP address 131.240.47.23, which was documented 
on Evidence Property Custody Document, Document 
Number 123-10, identified at Bates number 00411113. 
In processing this material, I handled and 
transferred the evidence as I have been trained. At 
no point did I alter any evidence I collected. I 
have no reason to believe this evidence was 
contaminated or damaged in any way. On 20 August 
2010, I properly signed this evidence over to Ms. 
Tamara Mairena, the CCIU Evidence Custodian. I did 
not touch this evidence again. 

Fourteen. Finally, I took possession of 
firewall logs from the Department of State from SA 
Ron Rock. I took possession of this evidence on 15 
October 2010. He provided this information on a 
silver CD marked with the words WikiLeaks DoS 
Firewall Logs 13 October 2010. The CD had a red 
U.S. Government Secret sticker on it . I recognize it 
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as an official sticker because I have handled 
classified information before. I handled this 
evidence consistent with procedures as I have been 
trained and previously described. 

Upon taking custody, I checked to ensure 
the evidence I was receiving matched the description 
on the DA Form 4137, labeled as DN 151-10, 
Item I, identified at Bates number 00411151. I 
checked the date, time, and other collection 
information. And finally, I signed in the Received 
By column. While in possession of this evidence, I 
maintained positive control . I did not alter the 
information on the CD . I have no reason to believe 
this evidence was damaged or contaminated in any way . 
On 18 October 2010, I properly signed this evidence 
over to Ms. Mairena, the CCIU evidence custodian. I 
did not touch this evidence again. PE 68 for 
identification is DN 151-10, Item 1. 

And the United States moves to admit 
prosecution exhibits 65, 67 and 68 for identification 
as prosecution exhibits 65, 67 and 68 respectively. 
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MR. TOOMAN: No objection. 

THE COURT: May I see them, please? 

Prosecution exhibits 67 for identification is 

admitted. 

Counsel, I have prosecution exhibit 67, but I 
have a CD and it says 66. 

MR. FEIN: 66 has already been admitted, 

ma 'am. 

THE COURT: I know, but there's nothing in 

67. 

MR. FEIN: I will retrieve those two exhibits 
from the court reporter. 

Ma ' am, there is a document marked in this 
folder. There is a single page document that accompanies 
the CD. 

THE COURT: And prosecution exhibit 68 is 
admitted. 67 is admitted. 

Now, I have 44 here, is that another one 

that — 

MR. FEIN: No, ma'am. 

Ma ' am, also we have found in the bag 
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prosecution exhibit. 108 earlier that, was to be marked 
prior to the recess . 

THE COURT: Prosecution exhibit 108 is 

admitted. 

I'm looking at the time. How do the parties 
want to proceed? 

MR. FEIN: Ma'am, the United States 
recommends we take our lunch recess . 

THE COURT : All right . How long would you 

like? 

MR. FEIN: Hour and 15 minutes, ma'am. 
THE COURT: All right. 

MR. FEIN: We're also trying to set up a 
phone call for the defense to talk to an certain witness . 
If that happens, we might ask for more time during the 
recess . 

THE COURT: What do you think the likelihood 
of success is in that? Do you just want to make it 1:30? 

MR. COOMBS: No objection to that, ma'am. 
THE COURT: Court is recessed until 1:30. 
(LUNCH RECESS. ) 
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